Adding Detection Overrides from Scan Results!?

Discussion in 'Prevx Releases' started by SvS, Jun 29, 2009.

Thread Status:
Not open for further replies.
  1. SvS

    SvS Security Expert

    Joined:
    Aug 28, 2004
    Posts:
    57
    Today my scheduled Prevx scan came up with a false positive (detected as Low Risk Adware - the file is marked as "under review" on the Prevx site):

    [29/6/2009 21:38] The file [c:\users\...\appdata\roaming\updatestar\updatestar.exe] contains a threat of type [Low Risk Adware] - Identity: C46E9A16F0703D5BE0DB47C12DB63A00F1129BEF
    [29/6/2009 21:38] The file [\??\C:\Users\...\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\UpdateStar.lnk] contains a threat of type [Infected Entry: [updatestar.exe]] - Identity: C46E9A16F0703D5BE0DB47C12DB63A00F1129BEF
    [29/6/2009 21:38] The file [\REGISTRY\User\S-1-5-21-3888176665-2650448977-3160213159-1000\Software\Microsoft\Windows\CurrentVersion\Run] contains a threat of type [Infected Entry: [UpdateStar]] - Identity: C46E9A16F0703D5BE0DB47C12DB63A00F1129BEF

    So, being pretty sure that this is not adware, I used the "Report this file as false positive" link from the scan results screen for all three detections.

    The file c:\users\...\appdata\roaming\updatestar\updatestar.exe was correctly added to the list of detection overrides; however, the shortcut and the AutoRun entry were not added to this list. Instead, two completely unrelated files appeared there:

    C:\Windows\system32\msxml3.dll
    and
    C:\Windows\system32\fdeploy.dll

    Both are part of the Windows Vista OS and are not related in any way to the shortcut and autorun entry I wanted to exclude... o_O
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I suspect this is an issue when marking the associated entries: they are automatically allowed when the root file is allowed and don't need to be allowed separately, but this is most likely a bug when handling non-file overrides.

    In the meantime, I've corrected the single detection which was a heuristic FP and if you run another scan it should reset the other files and your status to clean.

    Let me know if you experience any other issues or have any other questions!
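The behaviour PrevxHelp describes (allowing the root file implicitly covers the shortcut and Run-key entries that carry the same identity) can be checked from the scan log itself. The script below is an added example, not Prevx code and not posted by either participant: it parses the three log lines quoted in the first post (copied verbatim, including the elided "..." path segments), groups detections by the Identity hash, and audits the resulting override list so that entries which should never have appeared (the two system DLLs) are flagged while the shortcut and Run key are recognised as covered by the root file. The log-line grammar and the "same identity means covered" rule are assumptions made for this example.

```python
"""Parse Prevx-style scan results and audit a detection-override list.

Assumptions (not taken from the product): one detection per log line in the
form shown in the thread, and an associated entry is allowed whenever a root
file with the same Identity hash is allowed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the three lines quoted in the first post.
SAMPLE_LOG = r"""
[29/6/2009 21:38] The file [c:\users\...\appdata\roaming\updatestar\updatestar.exe] contains a threat of type [Low Risk Adware] - Identity: C46E9A16F0703D5BE0DB47C12DB63A00F1129BEF
[29/6/2009 21:38] The file [\??\C:\Users\...\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\UpdateStar.lnk] contains a threat of type [Infected Entry: [updatestar.exe]] - Identity: C46E9A16F0703D5BE0DB47C12DB63A00F1129BEF
[29/6/2009 21:38] The file [\REGISTRY\User\S-1-5-21-3888176665-2650448977-3160213159-1000\Software\Microsoft\Windows\CurrentVersion\Run] contains a threat of type [Infected Entry: [UpdateStar]] - Identity: C46E9A16F0703D5BE0DB47C12DB63A00F1129BEF
"""

# The override list as the poster saw it: the root file plus two unrelated DLLs.
OBSERVED_OVERRIDE_LIST = [
    r"c:\users\...\appdata\roaming\updatestar\updatestar.exe",
    r"C:\Windows\system32\msxml3.dll",
    r"C:\Windows\system32\fdeploy.dll",
]

# Assumed line grammar: [timestamp] The file [path] contains a threat of type [kind] - Identity: <40 hex>
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] The file \[(?P<path>.+?)\] contains a threat of type "
    r"\[(?P<kind>.+)\] - Identity: (?P<identity>[0-9A-Fa-f]{40})$"
)
# Associated entries (shortcut, Run key) name the root file they point at.
ASSOC_RE = re.compile(r"^Infected Entry: \[(?P<root>.+)\]$")


@dataclass(frozen=True)
class Detection:
    timestamp: str
    path: str
    identity: str          # hash shared by the root file and its associated entries
    kind: str              # raw threat type text, e.g. "Low Risk Adware"
    root_name: Optional[str]  # set only for associated entries

    @property
    def is_associated(self) -> bool:
        return self.root_name is not None


def parse_log(text: str) -> List[Detection]:
    """Turn scan-log text into Detection records; unknown lines raise ValueError."""
    detections = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised scan line: {line!r}")
        assoc = ASSOC_RE.match(m["kind"])
        detections.append(Detection(
            timestamp=m["ts"], path=m["path"], identity=m["identity"].upper(),
            kind=m["kind"], root_name=assoc["root"] if assoc else None,
        ))
    return detections


def effective_overrides(detections: List[Detection], allowed_paths: List[str]) -> List[str]:
    """Paths considered allowed once the given root files are allowed.

    Allowing a root file allows every detection sharing its identity, so the
    shortcut and Run key need no separate override (assumed rule).
    """
    allowed = {p.lower() for p in allowed_paths}
    allowed_ids = {d.identity for d in detections
                   if not d.is_associated and d.path.lower() in allowed}
    return sorted(d.path for d in detections if d.identity in allowed_ids)


def audit_override_list(detections: List[Detection], requested: List[str],
                        override_list: List[str]) -> Dict[str, List[str]]:
    """Compare what the user asked to allow with what the override list contains.

    covered    - requested paths allowed directly or via their root file's identity
    uncovered  - requested paths that nothing in the override list accounts for
    unexpected - override-list entries never requested and matching no detection
    """
    detected = {d.path.lower() for d in detections}
    listed = {p.lower() for p in override_list}
    wanted = {p.lower() for p in requested}
    covered_via_identity = {p.lower() for p in effective_overrides(detections, override_list)}
    covered, uncovered = [], []
    for p in requested:
        key = p.lower()
        (covered if key in listed or key in covered_via_identity else uncovered).append(p)
    unexpected = [p for p in override_list
                  if p.lower() not in wanted and p.lower() not in detected]
    return {"covered": sorted(covered), "uncovered": sorted(uncovered),
            "unexpected": sorted(unexpected)}


if __name__ == "__main__":
    dets = parse_log(SAMPLE_LOG)
    report = audit_override_list(dets, [d.path for d in dets], OBSERVED_OVERRIDE_LIST)
    for bucket, paths in report.items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

Run as-is it reports all three requested paths as covered (the shortcut and Run key through the shared identity, matching PrevxHelp's explanation) and lists msxml3.dll and fdeploy.dll as unexpected, which is exactly the discrepancy the first post describes. Feeding it a real export of the override list next to the scan log gives a quick way to spot the same mis-mapping after a future scan.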
     